NGINX 1.31.3 Mainline with Brotli, TLS 1.3, OpenSSL 4.0.1, HTTP/2 and HTTP/3 for Red Hat Enterprise Linux, CentOS, Rocky, Oracle, Alma Linux EL7/EL8/EL9/EL10

nginx 1.31.3 Mainline with HTTP/3 support added to EL7, EL8, EL9 and EL10 repositories. Brotli compression module from Google, http2, ngx_cache_purge and ngx_http_geoip2 modules are built in. OpenSSL is built dynamically using official OpenSSL 4.0.1 with QUIC support.

Major changes:

*) Security: heap buffer overflow might occur in a worker process when using the map directive with regex matching if the map variable was included in a string expression after a capture affected by this map; a similar issue might happen when using a non-cacheable variable in a string expression (CVE-2026-42533). Thanks to Mufeed VH of Winfunc Research and Maxim Dounin.

*) Security: uninitialized memory access might occur when using unnamed regex captures with the “slice” directive or background cache update, which could result in worker process memory disclosure or worker process termination (CVE-2026-60005).

*) Security: use-after-free might occur when processing a specially crafted proxied backend response with the ngx_http_ssi_filter_module (CVE-2026-56434). Thanks to P4P3R-HAK.

*) Change: the size of headers and trailers in HTTP/2 responses in the ngx_http_proxy_v2_module and ngx_http_grpc_module is now limited with “proxy_buffer_size” and “grpc_buffer_size” directives.

*) Change: loading of external entities is now disabled in the ngx_http_xslt_filter_module. Thanks to Maxim Dounin.

*) Feature: the “xml_external_entities” directive in the ngx_http_xslt_filter_module. Thanks to Maxim Dounin.

*) Feature: the “proxy_socket_sndbuf”, “proxy_socket_rcvbuf”, “fastcgi_socket_sndbuf”, “fastcgi_socket_rcvbuf”, “grpc_socket_sndbuf”, “grpc_socket_rcvbuf”, “scgi_socket_sndbuf”, “scgi_socket_rcvbuf”, “uwsgi_socket_sndbuf”, “uwsgi_socket_rcvbuf”, “tunnel_socket_sndbuf”, and “tunnel_socket_rcvbuf” directives.

*) Feature: cache line size detection for loongarch64. Thanks to Miao Wang.

*) Bugfix: now nginx rejects HTTP/2 requests with out-of-order pseudo-headers.

*) Bugfix: in flow control in the ngx_http_v2_module.

*) Bugfix: “[error] upstream sent frame for unknown stream” and “[crit] cache file … contains invalid header” messages might appear in logs when sending a cached HTTP/2 response in the ngx_http_proxy_v2_module if the “proxy_cache_revalidate” directive was used.

*) Bugfix: nginx might send the “Upgrade” header line in HTTP/2 and HTTP/3 responses.

*) Bugfix: in the ngx_http_perl_module. Thanks to Maxim Dounin.

*) Bugfix: IPv6 fragmentation might not be disabled when using QUIC on some operating systems.

*) Bugfix: in the ngx_http_auth_basic_module on Solaris.

*) Bugfixes and improvements in the ngx_http_tunnel_module.

Leave a Reply

Your email address will not be published. Required fields are marked *